Best practices for securing VNC on LAN?

[Denisson]

Hi.

 

Let's suppose I invited a bad actor over for Coffee and granted them access to my LAN because I'm a friendly host. (Or their friend hacked my VPN.)

Supposing I had many virtual machines on my network running VNC and a couple of them didn't have usernames or passwords. So there was no logon page. Or suppose I left them running with embarrassing photos of myself. 

 

How should I go about securing VNC? 

 

If I add a password, then since the traffic isn't encrypted, my guest could sniff it using his laptop.

For some use cases, such as USB dongles, RDP isn't an option (on Windows,) therefore I must use VNC and I must leave the user session open in some instances.

 

I'm joking about the use-cases above, but it would be nice to have an easy way to add SSL/TLS to the VNC connections from a central place. Even better would be to use Let's Encrypt for each VM, the same way you guys have it working for Web Interface SSL functionality. 

 

Any tips on this are very appreciated.

Other than that, the platform is wonderful and I'm very happy to become a member of this community!

 

Cheers.

[PixelPrint]

Hi, I was wondering it too, everyone in the LAN can access all the VM in the server without any password, so it's mandatory to always keep them locked and with a good login password.

 

There's an easy way to disable VNC for the VMs so i can enable it only when it's really needed? (ideally without a reboot) From the configuration page looks like a virtual gpu is mandatory